National Vulnerability Database
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data, providing detailed information on publicly disclosed cybersecurity vulnerabilities and misconfigurations in software, hardware, and systems.[1] Maintained by the National Institute of Standards and Technology (NIST) under the Department of Commerce, the NVD enriches records from the Common Vulnerabilities and Exposures (CVE) program with severity scores using the Common Vulnerability Scoring System (CVSS), weakness types via the Common Weakness Enumeration (CWE), impact assessments, remediation guidance, and references to support automated security processes.[2] Represented using the Security Content Automation Protocol (SCAP), an NIST-developed suite of specifications, the database facilitates interoperability for vulnerability scanning, compliance checking, and risk management across federal agencies and the private sector.[1]
Originating from NIST's early efforts in vulnerability cataloging, the NVD evolved from the Internet Categorization of Attacks Toolkit (I-CAT) launched online in 1999 with an initial set of 644 vulnerabilities, which was later rebranded and expanded into the NVD in 2005 to serve as a comprehensive national resource.[3] As of November 2025, the database contains 318,389 vulnerability records, covering millions of product configurations via the Common Platform Enumeration (CPE) dictionary, reflecting its role in sustaining the global vulnerability management ecosystem amid rising cyber threats.[3][4]
Key features include searchable feeds for real-time updates, metrics calculators for CVSS scoring, and integration with NIST's National Checklist Program for secure configuration guidance, all aimed at enabling organizations to automate security measurements and achieve compliance with standards like the Federal Information Security Modernization Act (FISMA).[2] The NVD's data is freely accessible with daily updates, though processing backlogs have grown since 2024, leaving over 26,000 recent CVEs awaiting full analysis; it draws from CVE assignments and vendor reports to provide timely, authoritative insights that inform patching priorities and threat mitigation worldwide.[1]
Overview
Purpose and Scope
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data, maintained by the National Institute of Standards and Technology (NIST).[1][5] This repository serves as a centralized source for structured information on cybersecurity vulnerabilities, enabling organizations to identify, assess, and mitigate risks in information systems.[1]
The NVD utilizes the Security Content Automation Protocol (SCAP), a suite of interoperable specifications developed by NIST for the standardized expression, exchange, and automated processing of vulnerability and configuration data.[6][5] SCAP ensures that vulnerability information is represented in a machine-readable format, facilitating interoperability across security tools and supporting automated analysis without manual intervention.[6]
The primary mission of the NVD is to automate vulnerability management, security measurement, and compliance reporting, with a focus on supporting federal agencies in fulfilling requirements under the Federal Information Security Management Act (FISMA).[1][5] By providing timely and reliable data, it helps agencies conduct continuous monitoring and risk assessments for their information technology systems.[7]
The scope of the NVD covers security-related flaws in software, hardware, and product configurations, including both commercial off-the-shelf and open-source technologies.[1] It includes detailed records on vulnerability impacts, external references, and assessment metrics, such as those derived from the Common Vulnerability Scoring System (CVSS).[1] The NVD builds upon the Common Vulnerabilities and Exposures (CVE) program by enriching CVE entries with SCAP-compliant analysis.[1]
Relationship to CVE
The Common Vulnerabilities and Exposures (CVE) program, managed by MITRE Corporation under the auspices of the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), serves as a foundational dictionary of publicly disclosed cybersecurity vulnerabilities, assigning each a unique identifier and basic descriptive information.[8][9] The National Vulnerability Database (NVD), operated by the National Institute of Standards and Technology (NIST), functions as an enrichment layer atop this CVE List, integrating and augmenting the data to enhance its utility for vulnerability management.[10][9]
NVD maintains synchronization with the CVE program through an automated process where it periodically pulls the latest CVE entries from MITRE's repository, ensuring that all vulnerabilities in NVD are derived from CVE identifiers.[10][9] Upon ingestion, NVD adds value by incorporating additional metadata, such as structured assessments and references, which transform the basic CVE records into more actionable intelligence for security practitioners.[9] This enrichment process aligns with Security Content Automation Protocol (SCAP) standards to facilitate standardized vulnerability representation.[10]
A primary distinction between CVE and NVD lies in their scope and depth: CVE provides only essential identifiers (e.g., CVE-ID) and high-level descriptions without analytical scoring or product-specific mappings, whereas NVD extends this with comprehensive, structured analysis to support automated tools and risk prioritization.[9][8] For instance, NVD uniquely assigns Common Platform Enumeration (CPE) strings to delineate affected products and versions, enabling precise querying and integration in security software—a capability absent in the core CVE dataset.[8][9] This layered approach ensures NVD delivers broader usability while preserving CVE as the authoritative source for vulnerability identification.[10]
History
Establishment and Early Development
The National Vulnerability Database (NVD) originated in 1999 as the ICAT Metabase, a prototype system developed by the National Institute of Standards and Technology (NIST) to catalog known software vulnerabilities for federal cybersecurity purposes.[3] This initial effort began with 644 vulnerability records, focusing on documenting security flaws to aid in risk assessment and mitigation within government IT systems.[3] The ICAT Metabase served as an early repository, integrating data from sources like the CERT Coordination Center to provide structured information on attack patterns and defenses.[11]
In 2005, the system was rebranded and relaunched as the NVD to meet requirements under the Federal Information Security Management Act (FISMA) of 2002, which mandated NIST to establish standards and guidelines for federal information security, including a centralized vulnerability repository.[12] This transition enhanced the database's role in supporting FISMA compliance by automating vulnerability management for federal agencies.[13] Managed by NIST's Computer Security Division, the NVD emphasized accessibility for federal IT system users and software developers, offering enriched data beyond basic identifiers.[11]
From its inception, the NVD provided detailed vulnerability histories, usage statistics, and trend analyses to inform security practices, drawing on Common Vulnerabilities and Exposures (CVE) entries augmented with metrics like severity scores.[13] By 2021, the database had expanded to over 180,000 vulnerabilities, reflecting the proliferation of cyber threats and the growing need for comprehensive threat intelligence across public and private sectors.[3]
Key Milestones and Updates
In March 2013, the National Vulnerability Database (NVD) experienced a significant security incident when it was taken offline due to a malware infection that had compromised its servers for at least two months, affecting several other NIST-hosted U.S. government websites.[14] The compromise, detected through unusual outbound traffic by a firewall, stemmed from unpatched vulnerabilities in Adobe ColdFusion software, prompting NIST to restore the system from clean backups and implement enhanced security measures.[15]
On October 21, 2021, the NVD introduced API keys as a mechanism to manage access and mitigate excessive usage, allowing registered users to include keys in requests for higher rate limits and improved service reliability.[16] This update addressed growing demand from the cybersecurity community, with API keys enabling prioritized access without throttling for keyholders.[17]
In March 2022, the NVD enforced stricter API rate limits for users without keys, capping unauthenticated requests at 5 per 30-second window to prevent overload, while keyholders received limits of 50 requests in the same period.[17] Later that year, in September 2022, the NVD released version 2.0 of its APIs in open beta, expanding data feeds by incorporating previously feed-exclusive information—such as detailed vulnerability metrics—directly into API responses for more efficient retrieval.[18] The full rollout in late 2022 marked a shift toward modernized, JSON-based data dissemination, retiring legacy 1.0 APIs by December 2023.[19]
A backlog of unprocessed Common Vulnerabilities and Exposures (CVEs) emerged in 2024 amid a 32% surge in submissions, straining NVD's enrichment capacity.[20] In June 2024, the NVD announced official support for Common Vulnerability Scoring System (CVSS) version 4.0, the latest iteration released by FIRST.org in November 2023, enabling more nuanced severity assessments with new metrics for attack requirements and user interaction.[21] This adoption continued into 2025 with API 2.0 enhancements, including schema updates for CVSS v4.0 integration and added parameters for filtering by CISA Known Exploited Vulnerabilities (KEV) dates, improving data retrieval for threat prioritization.[20]
In April 2025, the NVD implemented a policy shift by marking all CVEs published before January 1, 2018, as "Deferred," ceasing further enrichment efforts on these older entries to redirect resources toward recent threats and reduce the growing backlog.[20] This change, effective from April 2, 2025, includes a prominent banner on affected CVE detail pages, while ensuring KEV-designated vulnerabilities receive priority regardless of age.[20]
In May 2025, the NVD introduced version 2.0 data feed files, with legacy files remaining available until August 20, 2025.[20] On July 24, 2025, NIST deployed updates including a redesigned Vulnerability Search Page, addition of CISA KEV date filtering parameters (kevStartDate and kevEndDate) to the /cves/ API endpoint, and an update to the API schema to version 2.2.3.[20] Legacy data feed files, such as 1.1 Vulnerability Feeds, CPE Match 1.0, and the XML CPE Dictionary, were decommissioned on August 20, 2025.[20] In September 2025, the API key provisioning process was updated to use an online form for requests.[20]
Operations and Data Enrichment
Data Sources
The National Vulnerability Database (NVD) primarily draws its core vulnerability data from the Common Vulnerabilities and Exposures (CVE) Program, which is maintained by MITRE Corporation under sponsorship from the U.S. Department of Homeland Security (DHS).[9] The CVE List serves as the foundational input, providing unique identifiers (CVE-IDs) and initial descriptions for publicly disclosed cybersecurity vulnerabilities, enabling the NVD to catalog and reference over 318,000 records as of November 2025.[4][9]
Secondary sources supplement the CVE data with additional context and details, including vendor advisories that outline specific product impacts and remediation steps from affected software providers.[9] Security researcher reports, often submitted directly or referenced in CVE records, contribute technical insights into exploit mechanisms and discovery circumstances.[9] Public disclosures, sourced through manual searches of open internet resources, further enrich the dataset by capturing broader community-reported information on vulnerabilities.[9]
The NVD integrates the Common Weakness Enumeration (CWE) to classify the underlying software weaknesses associated with each CVE, using the CWE-1003 Technology view developed in coordination with the MITRE CWE team.[9] Similarly, the Common Platform Enumeration (CPE) is incorporated to precisely identify affected products and versions through standardized naming conventions. For configuration and checklist data, the NVD incorporates SCAP-validated content from partners such as the CERT Coordination Center (CERT/CC), which provides coordinated vulnerability notes and security baselines aligned with the Security Content Automation Protocol (SCAP).
Enrichment Process
The National Vulnerability Database (NVD) enrichment process transforms raw Common Vulnerabilities and Exposures (CVE) records into comprehensive, structured vulnerability intelligence by adding analytical metadata through a combination of automated ingestion and manual expert review. This workflow, managed by the National Institute of Standards and Technology (NIST), begins shortly after a CVE is published by a CVE Numbering Authority (CNA) and focuses on enhancing usability for cybersecurity practitioners, with supplementation from external sources via the CISA Vulnrichment program launched in May 2024.[9][22][11]
The process starts with intake, where newly published CVEs are automatically ingested into the NVD dataset within approximately one hour of their release on the official CVE List. During this phase, the NVD pulls the CVE's description, initial references, and any provided supplemental data from the CNA. This rapid ingestion ensures timely availability of basic vulnerability information, setting the stage for deeper analysis.[9][10]
Following intake, analysis is conducted by NVD team members, involving both automated tools and manual examination to evaluate the vulnerability's severity, potential impact, and supporting references. Analysts review the CVE description, CNA-supplied links, and additional public sources—such as vendor advisories, security bulletins, and research reports—to identify key attributes. If details are incomplete or ambiguous, the team applies a worst-case scenario approach to ensure conservative assessments. This step includes determining exploit availability by checking for evidence of active exploitation in public databases or reports.
The analysis culminates in the addition of structured data, such as Common Weakness Enumeration (CWE) mappings from the CWE-1003 view to classify the root cause, Common Platform Enumeration (CPE) applicability statements to specify affected products and versions, and expanded reference links tagged for relevance (e.g., vendor, exploit, or mitigation). Enrichment may also incorporate data from the Vulnrichment program, attributed to contributors like CISA-ADP.[9][23][10][24]
A core component of enrichment is the assignment of Common Vulnerability Scoring System (CVSS) scores, which quantify the vulnerability's risk using standardized metrics. NVD analysts develop vector strings for CVSS v3.1 (featuring eight base metrics like Attack Vector, Privileges Required, and Confidentiality Impact) and CVSS v4.0 (with eleven base metrics, including enhanced exploitability factors like Attack Requirements). These base scores focus on intrinsic characteristics, while temporal metrics (e.g., Exploit Code Maturity) and environmental metrics (e.g., modified base scores for specific deployments) are incorporated if sufficient public data supports them. The workflow divides into initial analysis, where a team member constructs the scores and metadata, followed by verification by a second experienced analyst to ensure accuracy and compliance with FIRST.org specifications. CVSS v2.0 scores are no longer generated for new CVEs as of July 2022 but remain for historical records.[25][26][9]
Once enrichment is complete, the updated CVE record undergoes quality assurance review by a senior team member before publication in the NVD. The overall timeline for enrichment varies based on factors like CVE complexity, availability of information, and publication volume, with high-priority vulnerabilities often processed within days, though the process can extend longer during peak periods.
As of November 2025, there is a backlog of approximately 26,744 CVEs awaiting analysis, which the Vulnrichment program helps address by enabling external enrichment contributions. Enriched data is then disseminated via NVD feeds, enabling automated tools and organizations to prioritize remediation effectively.[9][10][23][4]
Features and Tools
Search and Access Methods
The National Vulnerability Database (NVD) provides a web-based search dashboard accessible at https://nvd.nist.gov/vuln/search, enabling users to query vulnerabilities using parameters such as CVE ID, keywords from descriptions, CVSS scores, and publication dates.[27] This interface supports advanced filtering options, including by severity levels, affected products via Common Platform Enumeration (CPE), and time ranges, with results displayed in a tabular format listing identifiers, publication dates, assigning organizations, and brief descriptions.[27] The dashboard was redesigned on July 24, 2025, to enhance usability with improved search capabilities and redirected legacy paths to new endpoints for records and statistics views.[20]
Vulnerability detail pages, available at paths like https://nvd.nist.gov/vuln/detail/CVE-XXXX-XXXXX, offer comprehensive information on individual entries, including structured summaries of the issue, CVSS v3.1 and v4.0 metric scores with vector strings, weakness enumerations via Common Weakness Enumeration (CWE), and curated references to advisories, patches, and external sources.[28] These pages also integrate related data such as affected configurations and Known Exploited Vulnerabilities (KEV) indicators from CISA, providing contextual metrics like base, temporal, and environmental scores to assess impact.[28]
The NVD includes dedicated statistics views, such as the dashboard at https://nvd.nist.gov/general/nvd-dashboard, which visualizes trends including severity distributions across CVSS categories (e.g., Critical: 28,144; High: 71,462 as of October 2025) and publication rates (e.g., 1,865 new CVEs received in October 2025).[4] Additional trend insights cover backlog status, with 26,744 vulnerabilities awaiting analysis (as of October 2025), and historical processing volumes to illustrate operational scale.[4] The search interface's statistics tab further aggregates data on recent publications, highlighting patterns like high-severity counts within specified date ranges.[29]
Access to all NVD content is free and publicly available without registration, as it operates as an official U.S. government resource under NIST.[1] Users can subscribe to email notifications for general NIST updates, which may include cybersecurity and NVD-related announcements, via the agency's subscription services.[30] For advanced programmatic access, the web interface integrates with NVD APIs, though detailed endpoint usage is handled separately.[31]
APIs and Data Feeds
The National Vulnerability Database (NVD) provides programmatic access to its vulnerability data through APIs and data feeds, enabling automated integration into external systems for vulnerability management. The primary interface is the CVE API version 2.0, which allows users to retrieve detailed information on individual Common Vulnerabilities and Exposures (CVEs) or bulk collections via RESTful endpoints. As of October 2025, this API supports access to 318,389 CVE records stored in the NVD.[31]
The CVE API operates using HTTP GET requests with parameters for filtering, such as keyword searches, date ranges, and configuration specifics, returning results in JSON format adhering to the cve_api_json_2.0 schema. This schema structures responses to include fields for vulnerability metrics (e.g., CVSS scores and vectors) and references (e.g., external links to advisories and exploits), facilitating structured queries for analysis. Pagination is enforced via offset-based parameters like startIndex and resultsPerPage to handle large datasets efficiently.[31][32]
Complementing the API, NVD offers data feeds in both JSON (version 2.0) and XML formats, designed for periodic bulk downloads of vulnerability information. These include full yearly feeds covering all CVEs published in a given year (e.g., nvdcve-2.0-2025.json.gz), recent feeds capturing vulnerabilities from the last eight days, and modified feeds for entries published or updated within the same timeframe, with updates occurring every two hours.[33]
Access to the CVE API requires an API key for optimal performance, introduced in October 2021 to manage demand and enhance service reliability; enforcement of reduced rates for unauthenticated requests began in March 2022. Without a key, users are limited to 5 requests per 30-second rolling window, while registered keys permit up to 50 requests in the same period, with best practices recommending a 6-second delay between calls to avoid throttling.
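A client-side sketch of the pagination and rate limits described above (startIndex/resultsPerPage paging, 5 or 50 requests per 30-second rolling window, a 6-second pause between calls), added here as an example and not taken from NVD's own tooling. The service URL, the `apiKey` header name, the response field names and the 2,000-record page size come from NVD's API documentation rather than this page; `demo()` runs offline against constructed records with placeholder CVE IDs.

```python
import collections
import json
import time
import urllib.parse
import urllib.request

NVD_CVE_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
WINDOW_SECONDS = 30                     # rolling window from the text above
LIMIT_NO_KEY, LIMIT_WITH_KEY = 5, 50
MAX_PAGE_SIZE = 2000                    # assumption: NVD's documented maximum


class RollingWindowLimiter:
    """Allow at most `limit` requests in any `window`-second span."""

    def __init__(self, limit, window=WINDOW_SECONDS,
                 clock=time.monotonic, sleep=time.sleep):
        self.limit, self.window = limit, window
        self.clock, self.sleep = clock, sleep
        self.sent = collections.deque()  # timestamps still inside the window

    def acquire(self):
        while True:
            now = self.clock()
            while self.sent and now - self.sent[0] >= self.window:
                self.sent.popleft()      # forget requests that aged out
            if len(self.sent) < self.limit:
                self.sent.append(now)
                return
            # Window is full: wait until the oldest request leaves it.
            self.sleep(self.window - (now - self.sent[0]))


def http_fetch(params, api_key=None):
    """One GET against the CVE API; the key travels in the apiKey header."""
    request = urllib.request.Request(
        NVD_CVE_URL + "?" + urllib.parse.urlencode(params))
    if api_key:
        request.add_header("apiKey", api_key)
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def iter_cves(filters, api_key=None, fetch=http_fetch, limiter=None,
              page_size=MAX_PAGE_SIZE, pause=6.0, sleep=time.sleep):
    """Yield every CVE record matching `filters`, one page at a time."""
    if limiter is None:
        limiter = RollingWindowLimiter(LIMIT_WITH_KEY if api_key else LIMIT_NO_KEY)
    start = 0
    while True:
        limiter.acquire()
        page = fetch({**filters, "startIndex": start,
                      "resultsPerPage": page_size}, api_key)
        items = page.get("vulnerabilities", [])
        for item in items:
            yield item["cve"]
        start += len(items)
        # Stop on the last page, or on an empty page so a bad total cannot loop.
        if not items or start >= page.get("totalResults", 0):
            return
        sleep(pause)                     # the recommended 6-second gap


def demo():
    """Offline run over five constructed records, using fake time."""
    records = [{"cve": {"id": f"CVE-0000-{n:04d}"}} for n in range(5)]  # constructed
    elapsed = [0.0]

    def fake_sleep(seconds):
        elapsed[0] += seconds

    def fake_fetch(params, api_key=None):
        s, n = params["startIndex"], params["resultsPerPage"]
        return {"totalResults": len(records), "vulnerabilities": records[s:s + n]}

    limiter = RollingWindowLimiter(LIMIT_NO_KEY, clock=lambda: elapsed[0],
                                   sleep=fake_sleep)
    ids = [cve["id"] for cve in iter_cves({}, fetch=fake_fetch, limiter=limiter,
                                          page_size=2, sleep=fake_sleep)]
    return ids, elapsed[0]


if __name__ == "__main__":
    print(demo())
```

Keeping the limiter separate from the fixed pause means a scheduler that runs several queries through one shared limiter still stays inside the window.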
Data feeds do not require keys but suggest limiting downloads to under 200 requests per day based on metadata guidance.[34][35][17]
These APIs and feeds are commonly integrated into Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools to automate vulnerability scanning and prioritization workflows.[35] Since July 2024, the NVD has incorporated CISA's Vulnrichment data to provide preliminary CVSS scores and CWE mappings for vulnerabilities, enhancing access to enriched information while addressing analysis backlogs.[16]
Impact and Usage
Role in Cybersecurity
The National Vulnerability Database (NVD) serves as a cornerstone in cybersecurity by providing standardized, enriched vulnerability data that underpins risk assessment, mitigation, and compliance efforts worldwide. Maintained by the National Institute of Standards and Technology (NIST), the NVD applies structured metadata, such as Common Vulnerabilities and Exposures (CVE) identifiers and Common Platform Enumeration (CPE) details, to facilitate informed decision-making across sectors. This role extends to enabling organizations to identify, prioritize, and remediate software and hardware flaws efficiently, thereby reducing the attack surface in complex IT environments.[1]
In the realm of federal cybersecurity, the NVD plays a pivotal role in supporting compliance with the Federal Information Security Modernization Act (FISMA) by delivering authoritative, machine-readable data that aligns with Security Content Automation Protocol (SCAP) standards. Federal agencies rely on this standardized information to conduct continuous monitoring, assess system vulnerabilities, and report security postures as required under FISMA, ensuring that vulnerability management processes are auditable and consistent. For instance, the NVD's security checklist references and impact metrics help agencies integrate vulnerability data into broader risk management frameworks, streamlining FISMA-mandated reporting and remediation activities.[1][36]
For software developers and security teams, the NVD enhances vulnerability prioritization through enriched metrics, including Common Vulnerability Scoring System (CVSS) scores that quantify severity based on exploitability and impact. These metrics allow developers to triage flaws during the software development lifecycle, focusing resources on high-risk issues, while security teams use the data to align remediation efforts with organizational threat models. By providing detailed references to affected products and configurations, the NVD empowers proactive patching and code hardening, ultimately fostering more secure software ecosystems.[25][37]
The NVD integrates seamlessly into cybersecurity tools such as Cloud-Native Application Protection Platforms (CNAPPs), Security Information and Event Management (SIEM) systems, and patch management solutions, enabling automated vulnerability scanning and remediation workflows. Through SCAP-compliant feeds and APIs, these tools ingest NVD data to correlate vulnerabilities with live assets, automate alert generation, and orchestrate patches, thereby accelerating response times in dynamic environments like cloud infrastructures. This integration supports scalable, real-time threat hunting and compliance enforcement across enterprise networks.[1][12][38]
On a global scale, the NVD contributes to international vulnerability standards by offering free, publicly accessible data that influences handling practices beyond U.S. borders, serving as a de facto reference for vulnerability intelligence in collaborative efforts. Its alignment with protocols like CVE and SCAP promotes interoperability among global security communities, enabling organizations worldwide to adopt consistent scoring and enumeration methods for cross-border threat sharing and mitigation strategies. This open dissemination of enriched data bolsters collective cybersecurity resilience without proprietary barriers.[1][39][40]
Statistics and Trends
As of November 2025, the National Vulnerability Database (NVD) maintains a comprehensive repository of 318,389 Common Vulnerabilities and Exposures (CVEs), reflecting the expansive landscape of disclosed cybersecurity vulnerabilities.[4] This total encompasses vulnerabilities analyzed and enriched by the NVD team, with 43,005 new CVEs received in 2025 alone, of which 36,574 have been fully analyzed and integrated into the database.[4] These figures underscore the NVD's central role in cataloging and disseminating vulnerability data to support global cybersecurity efforts.
The severity distribution of CVEs scored under the Common Vulnerability Scoring System (CVSS) version 3 provides insight into the risk profiles within the database. As shown in the table below, the majority fall into medium and high severity categories, highlighting the prevalence of significant threats.

| Severity Level | Number of CVEs | Percentage |
|---|---|---|
| Critical | 28,144 | 15.8% |
| High | 71,462 | 40.2% |
| Medium | 75,288 | 42.3% |
| Low | 3,017 | 1.7% |